Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Using NodeJs with Firebase - Security

Due to the need to do some server side code - mainly sending emails I have decided to use Nodejs & Express for the server side element along with Firebase to hold the data - Partly from a learning experience.

My question is whats the best approach with regards to using the client side Firebase library and the Nodejs library when doing authentication using the Simple Email & Password API. If I do the authentication client side and then subsequently call a different route on the NodeJS side will the authentication for that user be carried across in the request. What would be the approach to test the user is authenticated within Node.

One approach I assume is to get the current users username & password from firebase and then post these to NodeJS and then use the firebase security API on the server to test.

like image 567
markbarton Avatar asked Feb 03 '13 15:02

markbarton


People also ask

Is Nodejs good for security?

Node. js is one such technology that developers use for web application development. It is designed to be completely secure.

Can we use Firebase with node js?

Firebase provides the tools and infrastructure you need to develop, grow, and earn money from your app. This package supports web (browser), mobile-web, and server (Node. js) clients.

Is Firebase as a backend secure?

As a default Firebase database has no security, it's the development team's responsibility to correctly secure the database prior to it storing real data. In Google Firebase, this is done by requiring authentication and implementing rule-based authorization for each database table.


1 Answers

Essentially the problem here is you need to securely convey to your NodeJS server who the client is authenticated as to Firebase. There are several ways you could go about this, but the easiest is probably to have all of your client<->NodeJS communication go through Firebase itself.

So instead of having the client hit a REST endpoint served by your NodeJS server, have the client write to a Firebase location that your NodeJS server is monitoring. Then you can use Firebase Security Rules to validate the data written by the client and your server can trust it.

For example, if you wanted to make it so users could send arbitrary emails through your app (with your NodeJS server taking care of actually sending the emails), you could have a /emails_to_send location with rules something like this:

{   "rules": {     "emails_to_send": {       "$id": {         ".write": "!data.exists() && newData.child('from').val() == auth.email",         ".validate": "newData.hasChildren(['from', 'to', 'subject', 'body'])"       }     }   } } 

Then in the client you can do:

ref.child('emails_to_send').push({   from: '[email protected]',    to: '[email protected]',    subject: 'hi',    body: 'Hey, how\'s it going?' }); 

And in your NodeJS code you could call .auth() with your Firebase Secret (so you can read and write everything) and then do:

ref.child('emails_to_send').on('child_added', function(emailSnap) {   var email = emailSnap.val();   sendEmailHelper(email.from, email.to, email.subject, email.body);    // Remove it now that we've processed it.   emailSnap.ref().remove(); }); 

This is going to be the easiest as well as the most correct solution. For example, if the user logs out via Firebase, they'll no longer be able to write to Firebase so they'll no longer be able to make your NodeJS server send emails, which is most likely the behavior you'd want. It also means if your server is temporarily down, when you start it back up, it'll "catch up" sending emails and everything will continue to work.

like image 194
Michael Lehenbauer Avatar answered Oct 02 '22 10:10

Michael Lehenbauer